October 07 Newsletter

R·I·T
Institute Audit, Compliance & Advisement Newsletter
the Quaestor Quarterly
Volume 2, Issue 4
October 2007
quaes·tor [kwes'tôr] ‘one who asks questions’
Is a Policy Required for Common Sense?
IACA is comprised of a group of internal audit professionals with nearly 100 years of
combined experience. Our work exposes us to many best practices and examples of good
internal controls, as well as the “unusual” activity that seems to indicate an apparent lapse
of common sense. Upon inquiry of something appearing “unusual,” we often learn that the
activity resulted because there was no policy stating that it could not be done that way.
Policies often build internal controls into the process. All of us are expected to be
fiduciaries of RIT’s assets. Those assets include the bricks surrounding us, the chairs we sit
in, and the dollars embedded in budgets funding our operations. Protecting those assets
often requires the application of common sense. Here are a few examples of what I mean.
There is no policy for not spending down available budget dollars at the end of the fiscal
year; in fact, typically the mindset is “if you don’t use it, you lose it.” However, common
sense should tell someone that any leftover funds will still go to a good cause, one that will
further RIT’s mission. Who really needs 4,500 pads of sticky notes in storage anyway?
There is no policy to “Buy RIT,” but common sense should tell someone that it’s better to
keep the funds internal than to pay external vendors, if possible. For example, it is better
to use RIT’s Brick City Catering than to use Uncle Lou’s Backyard BBQ Creations.
Inside This Issue: Word on the Street, My Two Cents, Control of the Quarter, Pop Quiz
While we are talking food, realize that there IS a policy requiring outside caterers to be
fully inspected, licensed, and insured. So, common sense should tell someone that the
financial and reputational risk to RIT could be huge if Uncle Lou’s uninsured, unlicensed
and uninspected creations introduced a food borne illness outbreak.
There is no policy prohibiting the purchase of employee birthday gifts with RIT funds.
However, common sense should tell someone that spending $85 on the departmental
procurement card for someone’s birthday is not a good use of RIT money. Gifts are a
personal gesture and should be paid for as such.
A campus-wide conflict of interest policy has been developed, but has not been implemented fully at this point. However, common sense should tell someone not to use their
brother’s machine shop to fabricate parts for installation on a sponsored research
project’s fabricated equipment if their paycheck is funded by that research project.
Other campus-wide policy-type activities currently not in place, but being developed,
include Disaster Recovery/Business Continuity and Record Retention. Common sense
should tell someone that they are still good ideas and practices, and that they are a
department’s, college’s, or division’s responsibility to implement until a campus-wide
policy or procedure is put in place.
As I mention in the IACA Internal Controls training sessions offered through the Center
for Professional Development, many internal controls are simply common sense. Understanding the potential effect that each action could lead to will help everyone be better
fiduciaries of RIT’s assets.
~ Patrick M. Didas, Associate Director
Occupational fraud can be found in any workplace. Whether an organization is a non-profit entity such as a university or a large for-profit corporation, fraud has occurred and continues to occur.
To learn more about occupational fraud, sign up for Fraud in the Workplace Training.
Upcoming Sessions:
• December 13, 2007, 9:00 a.m. - 11:00 a.m., Location: CIMS 2140
• March 13, 2008, 9:00 a.m. - 11:00 a.m., Location: CIMS 2140
• May 29, 2008, 9:00 a.m. - 11:00 a.m., Location: CIMS 2140
Sign up at the CPD website: https://finweb.rit.edu/cpd/leadership/fraud.html
Word on the Street
The Center for Intercollegiate Athletics and Recreation had the opportunity to work with
IACA during the 2006-07 academic year. The focus of the review was on the RIT NCAA
Division I Men's Ice Hockey program. We have come to understand that the scope of the
program and the impact of every activity associated with it has now been elevated to another level. Compliance issues and requirements in Division I are very detailed and explicit. Therefore, we felt it was time to have the IACA team work with us to review our
practices and procedures relative to NCAA compliance. In doing so, we would lay the
groundwork for a fully compliant program, thereby reducing risk of costly violations.
We found the IACA team to be very user friendly. They worked “with us” to review our
compliance procedures. We received some wonderful, positive reinforcement regarding
our current efforts while identifying opportunities to further improve our program. As a
result, we are now in a far better place. We enjoyed working with the IACA team. We
feel confident that what has been recommended and implemented has put us much further along than we might have been without their assistance.
We are thankful to have such a service available to us right here at RIT.
~ Lou Spiotti, Jr., Director
Intercollegiate Athletics and Recreation
My Two Cents
I want to share with you our recent experience with the RIT Co-op program. We all
know that the RIT Co-op program is one of the defining attributes of our university and I
am here to say that if other employers’ experiences were as terrific as ours has been,
then RIT is providing its students with the absolute best experiences possible.
During the Winter, Spring and Summer quarters last academic year, IACA employed
Saunders College of Business Accounting program student Julia Smith. In a very short
time, Julia became an integral part of our small department. After her one-week IACA
orientation was complete, she effectively assisted our permanent staff with the following
activities:
(continued on page 4)
Control of the Quarter
In the last few newsletters we’ve been discussing the five interrelated components of internal control designed to identify risk factors that cause or may result in fraudulent financial
reporting. The control components, which are derived from the way management runs an
organization, include:
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring
We previously covered the “control environment,” which sets the tone of an organization,
influencing the control consciousness of its people; and “risk assessment,” which includes
the identification and analysis of relevant risks to achieving the organization’s objectives. In
this issue of the Quaestor we’ll cover “control activities” – the policies and procedures that
help ensure management directives are carried out.
Based on the objectives of the organization to which they relate, control activities may be
divided into three categories: operations, financial reporting, and compliance. By
design, control activities help ensure that necessary actions are taken to address risks to
achievement of the University’s objectives.
Control activities occur throughout the organization, at all levels and in all functions. They
comprise a wide and diverse range of activities including:
• Approvals
• Authorizations
• Verifications
• Reconciliations
• Reviews of operating performance
• Security of assets
• Segregation of duties
Control activities must be evaluated periodically to determine whether they relate to the
risk assessment process, whether they are appropriate to ensure that management’s directives are
carried out, and finally, whether they are being properly applied.
In the next newsletter we’ll discuss information and communication, the 4th control
component.
~ Controller’s Office
Ensure that your department has established and is maintaining good internal controls.
To learn more about internal controls, sign up for Internal Controls Training.
Upcoming sessions:
• November 15, 2007, 9:00 AM - 11:00 AM, Location: CIMS 2140
• December 20, 2007, 2:00 PM - 4:00 PM, Location: CIMS 2140
• February 28, 2008, 9:00 AM - 11:00 AM, Location: CIMS 2140
• April 29, 2008, 9:00 AM - 11:00 AM, Location: CIMS 2140
Sign up at the CPD website: https://finweb.rit.edu/cpd/leadership/cares.html
My Two Cents
(continued from p. 2)
• Audits
• Questionnaire Reviews
• Audit Issue Follow-up
• Special Projects
Being a small department, IACA is able to provide truly meaningful work experiences
to Co-op students because they need to become one of us during their Co-op block; we need them to help us get the work done.
Julia came to IACA armed with the necessary knowledge and skills (thank you,
Saunders COB), positive attitude and a willingness to learn (thank you, Julia) so she
was able to hit the ground running and to provide us with immediate assistance.
In addition to having an outstanding student at our disposal, the IACA staff worked
closely with Julia to provide the mentoring required to ensure that she would rise to
her potential.
I think for us, the perfect end to Julia’s Co-op experience was her announcement that
she had in fact accepted an internal audit position at a new publicly-held corporation
that was building an internal audit function.
I believe that what I have described here is just one of the thousands of wonderful
Co-op experiences that have happened previously for RIT students. It is the ultimate
win-win situation for our students and employers, and in this case IACA.
~ Steven M. Morse, Executive Director
Ask the Auditor ~
Submit a question to the IACA webpage http://finweb.rit.edu/iaca/forms/ask/
by 11/30/07. If your question is chosen for publication in our newsletter, you
will receive a prize valued at $15.
Pop Quiz
The first reader to correctly answer the question below will win a prize worth $10.
Question: On average the most expensive corruption scheme committed
by employees of an organization is...
A. Bribes and kickbacks
B. Economic extortion
C. Undisclosed conflicts of interest
D. Accepting illegal gratuities
See our Quiz webpage to post your answer:
https://finweb.rit.edu/iaca/forms/quiz/index.cfm.
The winner’s name and answer will be included in the
next newsletter.
• Congratulations to Francine Smeltzer, Sr. Staff Assistant, Center for Quality and
Applied Statistics, for being the first reader to correctly answer the July issue Pop
Quiz question.
The question and the correct answer for July:
“On average, the most expensive asset misappropriations committed by a
company’s employees involve…”
C. Billing schemes
IACA TEAM:
Steven M. Morse ‘86, CPA, executive director, 475-7943
Patrick M. Didas ‘90, CPA, CFE, associate director, 475-6826
Wendy J. Roy, CPA, senior internal auditor, 475-7011
Nancy A. Nasca, CPA, senior internal auditor, 475-5293
Elisa M. Cockburn, CPA, senior internal auditor, 475-7849
Christine M. VanHemel, staff & audit assistant, 475-7647